Data-Driven Decision Support for Optimizing Cyber Forensic Investigations

Cyber attacks consisting of several attack actions can present a considerable challenge to forensic investigations. Consider the case where a cybersecurity breach is suspected following the discovery of one attack action, for example by observing the modification of sensitive registry keys, suspicious network traffic patterns, or the abuse of legitimate credentials. At this point, the investigator can have multiple options as to what to check next in order to discover the rest, and will likely pick one based on experience and training. The same holds at each subsequent step. We argue that the efficiency of this aspect of the job, namely the selection of the next step to take, can have a significant impact on the overall cost (e.g., the duration) of the investigation, and that it can be improved through the application of constrained optimization techniques. Here, we present DISCLOSE, the first data-driven decision support framework for optimizing forensic investigations of cybersecurity breaches. DISCLOSE builds on a repository of known adversarial tactics, techniques, and procedures (TTPs), for each of which it harvests threat intelligence information to calculate its probabilistic relations with the rest. These relations, as well as a proximity parameter derived from the projection of quantitative data regarding the adversarial TTPs onto an attack life cycle model, are used as input to our optimization framework. We show the feasibility of this approach in a case study that consists of 31 adversarial TTPs, data collected from 6 interviews with experienced cybersecurity professionals, and data extracted from the MITRE ATT&CK STIX repository and the Common Vulnerability Scoring System (CVSS).
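To make the three ingredients of the abstract concrete (probabilistic relations between TTPs harvested from threat intelligence, a proximity parameter from an attack life cycle model, and a constrained optimization over what to check next), the following Python sketch is an added illustration; it is not the DISCLOSE implementation and not the paper's formulation. The ATT&CK technique IDs are real identifiers used as labels, but the intrusion-set-to-technique mappings, the linear life-cycle indices, the per-check analyst-hour costs, the scoring rule (probability times proximity) and the time budget are all assumptions constructed for the example.

```python
"""Toy next-step selector for a multi-step forensic investigation.

Added illustration only: this is NOT the DISCLOSE implementation and not
the paper's formulation.  The ATT&CK technique IDs are real identifiers
used as labels; the group-to-technique mappings, life-cycle indices, check
costs, scoring rule and budget below are all constructed for the example.
"""
from collections import Counter
from itertools import combinations

# Constructed sample standing in for threat intelligence harvested from the
# MITRE ATT&CK STIX repository (intrusion-set --uses--> attack-pattern).
# Group names are fictional.
GROUP_TTPS = {
    "G-A": {"T1566", "T1059", "T1547", "T1112", "T1003", "T1021", "T1071", "T1041"},
    "G-B": {"T1078", "T1059", "T1112", "T1003", "T1021", "T1071"},
    "G-C": {"T1566", "T1059", "T1547", "T1071", "T1041"},
    "G-D": {"T1078", "T1112", "T1003", "T1021", "T1041"},
    "G-E": {"T1566", "T1059", "T1112", "T1071"},
}

# Assumed projection of each technique onto a linear attack life cycle
# (0 = initial access ... 10 = exfiltration), following the ATT&CK tactic order.
PHASE = {
    "T1566": 0, "T1078": 0, "T1059": 1, "T1547": 2, "T1112": 4,
    "T1003": 5, "T1021": 7, "T1071": 9, "T1041": 10,
}

# Assumed analyst-hours needed to check each technique for evidence.
CHECK_COST = {
    "T1566": 3, "T1078": 2, "T1059": 2, "T1547": 1, "T1112": 1,
    "T1003": 2, "T1021": 3, "T1071": 4, "T1041": 3,
}


def conditional_probabilities(group_ttps):
    """P(b | a): share of the groups using technique a that also use b."""
    single, pair = Counter(), Counter()
    for ttps in group_ttps.values():
        single.update(ttps)
        for a, b in combinations(sorted(ttps), 2):
            pair[(a, b)] += 1
            pair[(b, a)] += 1
    return {(a, b): n / single[a] for (a, b), n in pair.items()}


def proximity(a, b):
    """Assumed proximity: 1 for the same phase, decaying with phase distance."""
    return 1.0 / (1 + abs(PHASE[a] - PHASE[b]))


def next_step_score(candidate, observed, probs):
    """How promising it is to check `candidate` given the TTPs seen so far.

    Assumed rule: the strongest (probability x proximity) link from any
    observed technique.  The paper combines its inputs differently.
    """
    if not observed:
        return 0.0
    return max(probs.get((o, candidate), 0.0) * proximity(o, candidate)
               for o in observed)


def select_checks(observed, budget_hours, group_ttps=GROUP_TTPS):
    """Pick the set of checks maximising total score within the time budget.

    A 0/1 knapsack over integer hour costs; returns the chosen techniques
    ordered by score (highest first) and the total score achieved.
    """
    probs = conditional_probabilities(group_ttps)
    items = [(t, next_step_score(t, observed, probs), CHECK_COST[t])
             for t in PHASE if t not in observed]
    items = [it for it in items if it[1] > 0]
    best = [(0.0, []) for _ in range(budget_hours + 1)]
    for name, value, cost in items:
        for b in range(budget_hours, cost - 1, -1):  # descending: each item used once
            cand = best[b - cost][0] + value
            if cand > best[b][0]:
                best[b] = (cand, best[b - cost][1] + [name])
    total, chosen = best[budget_hours]
    ordered = sorted(chosen, key=lambda t: next_step_score(t, observed, probs),
                     reverse=True)
    return ordered, total


if __name__ == "__main__":
    # Scenario from the abstract: the breach is suspected after noticing a
    # modification of sensitive registry keys (T1112); the analyst has four
    # hours before the next checkpoint.
    plan, score = select_checks({"T1112"}, budget_hours=4)
    print("Check next:", plan, "total score %.4f" % score)
```

With the constructed data, observing registry modification (T1112) ranks OS credential dumping (T1003) first, because three of the four groups that modify the registry also dump credentials and the two techniques sit one phase apart; within a four-hour budget the knapsack pairs it with command and scripting interpreter checks (T1059) rather than the cheaper but less promising autostart check (T1547). The point the example makes is structural: once relations and proximity are numbers, "what do I check next" becomes a budgeted selection problem rather than a judgment call.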
